Here, the law did not define what constitutes "sensitive personal data or information", and although an explanation of "reasonable security practices and procedures" has been provided, it is too vague and open to interpretation.
Hence, to address the issue, on February 7, 2011, the Department of Information Technology published draft rules titled The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011, in exercise of the powers conferred by Section 87(2)(ob), read with Section 43A of the Information Technology Act, 2000.
Its features are as follows:
Rule 3 defines sensitive personal data or information, which includes:
Information collected, received, stored, transmitted or processed by a body corporate, an intermediary or any person, consisting of:
(i) password,
(ii) user details as provided at the time of registration or thereafter,
(iii) financial information, such as bank account, credit card, debit card or other payment instrument details of the users,
(iv) Physiological and mental health condition,
(v) Medical records and history,
(vi) Biometric information,
(vii) Information received by body corporate for processing, stored or processed under lawful contract or otherwise,
(viii) Call data records.
Provided that information available under the Right to Information Act or any other law shall not be treated as sensitive personal data or information.